HITBSecConf2017 Amsterdam (April 10th - 14th)
Register Online Now!
Mega users: If you're hacked once, you're hacked for life
Kim Dotcom's launch of Mega has touted the big tagline of being bigger, better, faster, stronger, and safer, but while Dotcom promises 128 bits of AES encryption and the use of 2048 bits of RSA public/private key infrastructure, I'm not too convinced about the last aspect of his sell: the safety.
Mega's security operates in a different way to a lot of other sites. Its use of public/private pair keys is a good step for ensuring that no one but the owner of the private key pair has the ability to decrypt files that are stored in its cloud service, but it appears to also be tied into the password used to set up the account.
Mega's site states that it is "the master encryption key to all of your data" and that "if you lose it, you lose access to all of your files that are not in a shared folder and that you have no previously exported file or folder key for." However, tying the password deeply into the encryption scheme also means that it is impossible to reset or change a user's password without throwing away the encryption keys. Combined with the current inability for users to close their account and create a new one, and users are stuck with whatever password they signed up with. Hopefully, that wasn't "password," while they figured out whether they wanted to keep using the service.